 So I'm going to use the alternative title for this talk, which is the quest for a bound that was not rational, which will become clear in a slide or two. So yeah, this is joint work with Juan Garay, Yuvalisai, and Rapha Strovsky. And we're going to be looking at the problem of secure multi-party computation, NPC. We have N parties, each party has its private data, and they want to perform some joint computation by running a protocol where they exchange messages over some communication network. Here it's going to be point-to-point analyst. And the protocol should be secure, meaning that even if an adversary goes and corrupt parties, he cannot disrupt privacy, namely he doesn't learn anything he's not supposed to, or correctness, namely the honest parties get the correct output. So more concretely here, we're going to be looking at information theoretic NPC, with the dishonest majority and no setup. So we have M parties, M minus one of them might be corrupted and they have no setup. What do we know about this setting? We know we cannot do it. So it's impossible to do it even for the simplest corruption with the same honest corruption. So are there walk-arounds? Likely there are. We can either assume a trusted setup, but this means we need trust, which we don't want, or we can resort to computational security. But even there, if we want something strong and like strong composition guarantees like UC security, we will again need a setup. And that's also something we want to avoid. Another idea is the parties are nowadays servers. They are connected to the internet, which is a huge network of parties itself. So maybe they can use the help of these servers to do the computation. So this naturally leads to the so-called NPC in the client server model, where the parties are now clients, that's how we're going to call them. They have their inputs, they want to perform a computation of the function, and we have a huge with respect to the number of clients, number of servers. And because this number of servers is huge, the goal is not to use all of them and not to communicate too much. So essentially we want sublinear communication complexity in the size of the server set, in the size of the internet. And in this work we consider two clients and then servers, but whatever I say here very easily extends to the case of a constant size client set with dishonest majority. All right. So about the adversary, as I said, we want information security. So the adversary is computationally unbounded. He can corrupt any of the two clients and additionally any T of the servers. And we're going to be looking at bounds on T that allow NPC with sublinear communication. And he can be semi honest or passive, namely he just looks at the view of the parties and tries to extract information. Or he can be malicious or active, meaning that he makes the parties misbehave arbitrarily. And we'll also consider static and adaptive, both cases. Static means the adversary corrupts everyone at the beginning of the protocol. Adaptive means that while the protocol evolves and depending on his view he corrupts more parties. And even more for adaptive corruption we're going to consider both the case where honest parties might be able to erase, making it harder for the adversary to see their history when they're corrupted. And the case where they cannot erase. So what do we know if we're okay, if we're okay with a quadratic communication complexity and when I say quadratic, I mean a quadratic number of bits per multiplication gate of the circuit representing the function we want to compute. Then already from the 80s we have results that solve this for the semi honest case. We can tolerate arbitrary corrupted minorities. And for the malicious case, Robin and Ben are assuming broadcast gives us the same bound for actually it's for adaptive, but here we're only going to consider static. So what happens if we want less communication? There's a lot of work. I just have some work here, Indicatively to just demonstrate that we achieve the same bound, sorry, we achieve the same bound or at least asymptotically the same bound. And actually some of these works even get sublinear communication complexity as a multiplicative factor of the circuit size. But I want you to notice that all those have an additive polynomial factor in the player set. So if the circuit is huge, this doesn't really matter. But if the circuit is small, then those works, this polynomial factor actually dominates the complexity. So what we are after here is an absolutely, if you want sublinear communication complexity, namely we want that we have a sublinear multiplicative factor with the circuit size or a smaller O of N and then no additive polynomial factors. And as you already see here, the situation changed drastically, right? Before we have a half, both in the case of quadratic and in the case of linear or sublinear. Here we have a completely different landscape. So for the semi-honest case, it's roughly the same asymptotically the same, at least it's one half minus epsilon, which is a tight bound for the static case, sorry. When we go to the adaptive case without erasers, the situation is completely devastating. Here we cannot tolerate any constant fraction of corruptions. So, but we can tolerate sublinear. So we can just tolerate a very, very, very restricted adversary. And the most interesting case is actually that of adaptive security with erasers. And I should point out here that I have this ordering, usually in MPC, when we have adaptive security with erasers, it's life is easier than without erasers. This is not the case here, as you're gonna see in the remainder of the talk. So the bound in the adaptive security with erasers is this asymptotically close to one minus square root of 0.5, which might look arbitrary, but it's not, it's actually tight. So, and this justifies the title. This is the first bound which is not rational. So now the obvious open question is can we get a bound which is imaginary? Not an imaginary bound, a bound which is imaginary. Okay, we also scratch the surface of the malicious case only for the static adversary and prove that the same bound that we have for the semi-honest works for the malicious as well, modular that we might abort the computation there. All right. So I'm gonna focus for the rest of the talk to the semi-honest case and look at the static adaptive without erasers and adaptive with erasers to give you some idea of how the results are. Okay, let's start with a very, very simple case, static correction. So here we wanna prove that this nearly one half fraction of corruption works, so we can have a protocol for that and the protocol is extremely simple. It's actually the folklore protocol. We have any of the two clients choose a committee of a polylog size and then this committee runs one of the existing protocols which are quadratic communication complexity because the committee is randomly chosen and it's of a polylog size, we have a non-est majority and because it's a polylog size, polylog square is a polylog so the total communication complexity will be sublinear. Very simple. Okay, now why is this tight? And actually it's tight in a strong manner, so if we go a constant number, not fraction close to one half, then we cannot tolerate this adversary. For that we're gonna use an possibility result from the literature by Hilton and Maurer, which it's easier to look at the picture to understand the intuition of the result. So the result says that if there are two sets, Q1 and Q2 that cover the entire server set and then C1 is in one of them and C2 is in the other, so if we have such a covering in terms of union of two sets of the entire party set, then there are functions we cannot compute. So if the adversary can corrupt either this one or that one with noticeable probabilities, there are functions we cannot compute. And how are we gonna use it? So let me just replace this O of one with a constant. So for our case, for proving that, let's start with a simple case. If epsilon is zero, if epsilon is zero, then this thing here means that we have a corrupted majority and this means that the adversary can corrupt C1 and the first half of the parties or he can corrupt C2 and the second half of the parties. He can do both, or either actually. And the union of those two choices cover the entire party set. Therefore, HM kicks in, we cannot compute the end gate. Now, the case where the constant epsilon is greater than zero is slightly more involved but not too much. So the general idea here is that the adversary can play the I feel lucky strategy. So he will choose epsilon parties and ignore them and apply the same strategy as before to the remainder N minus epsilon servers. And now the idea is that because we want sublinear communication complexity, there can only be a sublinear number of servers that speak throughout the protocol. So with noticeable probability, this set that the adversary ignores will not hit the set that speaks. And therefore, this union is on all servers that actually matter for the computation and therefore again, HM kicks in. That's the general intuition. All right, so now building towards the most interesting case which is the adaptive corruption with erasures, I will start with a case where we don't have erasures. As I said here, the situation is pretty bad. We cannot tolerate any constant fraction of corrections. And to see that, you need to consider an adversary that uses a follow the money type of strategy or rather follow the message type of strategy. So let's look again at the protocol execution like one instance to see what the strategy is like. So let's say in first round C1 sends a message, then these guys extends a message, then these guys extends a message, then these guys extends a message, and maybe C1 and C2 extends several messages after that. So this follow the message strategy is as follows. The adversary injects, you can think of it like that, injects corruption through either of the client. So he starts with C1 and corrupts in the end of the protocol, corrupts whoever talked to him in the protocol, and then corrupts whoever talked to those guys in the protocol, and then corrupts whoever talked to those guys in the protocol, but he never corrupts C2. The adversary could do the same thing from C2, corrupt C2 and whoever talked to him in the protocol. And now it's not hard to see that all the servers that ever speak in the protocol can be split in three sets. They might not be disjoint, but this doesn't matter. So this is the set Q1, corrupted by the adversary injecting corruption through C1. The set Q2, corrupting by the adversary, adversary two, injecting corruption through C2. And there's a bunch of guys that are doing something completely foolish. They just talk to each other and never communicate with any component connected to the servers. Hence, we can just ignore those guys. So their view is independent of the computation we can simulate. So if we ignore those guys, or if we give those guys to the adversary for free, then what we get is that the union of the sets that are corrupted covers everyone who speaks in the protocol. And once again, HM will kick in and so that you cannot compute the end gate. So that's the possibility. And the reason why the adversary can do this follow the message attack is because he has a linear budget and the only sublinear number of parties can speak through the protocol so that we maintain sublinear communication complexity. All right, so now about the protocol, this is even simpler. The adversary is very weak. He can only corrupt a sublinear number of parties and therefore we can again use the folklore protocol. Two times sublinear is sublinear. So let's just use more parties than the adversary can corrupt the majority of. C1 chooses two times the corruption budget plus one, which is sublinear, and we have them do the computation. Since this is sublinear, the computation complexity will be sublinear and since there are too many for the adversary, even adaptively to corrupt, you can only corrupt half of them. BGW will be secure and we're done. So this is a very pessimistic bound which is very easy to prove. Okay, so now going to the most interesting case which is adaptive corruption with erasers. And here I would like to demonstrate why there's hope, why the follow the message attack does not work. And let's look again at a run of the protocol. Let's assume that we start and this party here, this server here sends a message to that guy. Then he sends a message M2 to that guy. And then what happens is that he raises M1 and forgets who that guy is and this guy forgets who that guy is entirely. They erase this information. And then this guy sends a message M3 to C1. It's easy to see that because M2 originated from that guy which originated from that guy while he knew M1, this message here, hence the view of C1, depends on M1. Now, assume that the protocol proceeds and this guy sends a message M4 and erases M4 and both erases the information of who sent the message to whom. And then in the next round M5 is sent here. And once again, same argument, M5 will depend on M4 which potentially depends on M1. Now, if we use the injecting corruption strategy here, the adversary can corrupt, he corrupts C1, he goes and corrupts the guy that talks to him, he corrupts the guy that talks to him and he's stuck. And on the other side he corrupts C2, corrupts the guy that talks to him and he's stuck. So now what we have is we have these two sets that do not cover everyone who's relevant for the computation. So this guy has a message which is correlated with the view of C1 and C2. And this means that we cannot use HM anymore. So this doesn't mean that we have a protocol but it means there's hope. And in order to explore this hope, the challenge is to figure out how we can activate the parties and route the messages so that the adversary cannot actually use this follow the message attack. And I'm gonna describe how, this is actually what I meant by the quest for a bound that was not rational. I'm gonna give you several solutions which are flawed leading to the final correct solution. The first solution, I'm gonna call dictatorship. This is actually the folklore protocol where we have one party, one client, C1, say he's the dictator, he chooses who is gonna help in the protocol, announces it and those guys help. This is clearly bad in the adaptive corruption case. Why? Because the adversary is gonna corrupt C1, he's gonna corrupt everyone that he suggests and therefore in this way he has everyone corrupted and hence we cannot do anything with them. So bad idea. What's better than dictatorship? Parliamentary democracy. So here C1 suggests his set of helpers, C2 suggests his set of helpers and together all those helpers help the parties run the protocol. This is clearly seems better but unfortunately it doesn't work. Why? Because the adversary can corrupt C1 and Q1, everyone he suggests, or C2 and Q2 everyone he suggests, those are again two sets that cover the entire set of parties that play in the protocol. It's empty scene, we cannot compute the end gate. The end gate is right. Okay, so what is the problem with these solutions? The problem is that the clients choose their helpers. So what can we do to circumvent this issue? We can have the helpers choose themselves, they volunteer, which leads me to the third type of protocols which I call non-government organizations or NGOs. Here any server might wake up with probability polylogue N over N. This will guarantee that no more than polylogue many servers wake up and he volunteers to help. So now the challenge is that we need to make sure that he doesn't help too much. If he speaks to the same guy in too many rounds then he gives too many chances with the adversary to corrupt. So what we're gonna do is we're gonna use a volunteering strategy which is us as non-interactive as possible and for that we're gonna use a oblivious transfer or pre-computed oblivious transfer. So what is oblivious transfer? Very briefly we have a sender that has two messages and a receiver that wants to receive one of them so that he learns nothing about the other message and the sender doesn't learn which message was received. So this is oblivious transfer. It's a fantastic primitive because it's complete for information theoretic MPC. If we can do that we can compute any function. So for the remainder of the talk we're gonna focus on implementing OT. And how are we gonna do it? How are the servers gonna help implementing OT? They're gonna act as OT dealers. So there is a way to pre-comput OT so that a dealer can compute a pair, so a value for the sender and a value for the receiver and distribute this pair and later on sender and receiver can use, doesn't really matter the protocol but matters is that they can use this pair to implement OT by the communication complexity which is the same as that of this pair. So the challenge now is to do this pre-computer OT in a way which cannot be followed the message kind of attack. Okay, so first attempt, the simple one. So just choose the pair, so the guy wakes up, he choose the senders and the receivers part, sends the part of the sender to the sender the part of the receiver to the receiver. Now if we do that, again, the adversary has corrupted C1, he can jump and corrupt the server here and then learn the other part of the pair. So it doesn't help much. So what can we do to avoid that? We can actually randomize who gets the message first. The guy that gets the message second doesn't have this chance if we erase. So what we can do is this guy again wakes up by himself, he prepares the pair and then he flips a coin to see who he's gonna talk to first. Let's say the coin says C1, he talks to C1, he erases and then talks to C2. Now it's easy to see that if the adversary has corrupted C2, who's the second guy that gets the message, he doesn't get anything by corrupting that guy at the point where C2 gets the message from him. Why? Because this has been erased. So we are actually quite good. This means that the probability, since we are choosing who goes first with probability one-half, the probability that both pairs are corrupted by having corrupted the client is now one-half, which does seem pretty good, but it's not enough. Because if any of those pairs is corrupted through probability one-half, then we are stuck with a setup where half of it is corrupted roughly and we cannot really do something with it. But if we could get somehow to a setting where less than one-half of these OTs are corrupted, then we're game, then we can do OT. We can use an OT combiner and compute a good OT that then allows us to do everything. Okay, so here's a way to get there. So this error once again wakes up, he prepares an OT pair, but doesn't speak to the clients. Instead, he volunteers someone else. He volunteers an intermediary and he sends him part of this OT pair and they both erase everything else, its other identity and the part that they don't know. And then they contact the clients. Now it's easy to see that in this protocol, by corrupting a client, the adversary doesn't get anything, right? Because by the time this client is contacted by a server, the information, the other half of the OT has been erased. But now we have another problem. And the problem is that unlike before, where an adversary that tries to throw darts on the servers and corrupt parties had one chance to hit the OT pair, now he has two. He can actually, at the beginning of the protocol, throw darts and if he hits that guy or that guy, in both cases, he corrupts the entire OT pair. So we double the chances that he does it, which kind of sucks. By now, probably you're fed up with wrong solutions. This is not wrong, this is the right solution. So this is the best we can do. We have a lower bound matching that. Okay, so by then I should say that the protocol, in the end of all this thing, uses an OT combiner to get a good OT, right? So very briefly, how does this protocol secure when this bound one minus square root of 0.5 holds? And that will also show you where the square root of 0.5 comes from. Let's look at the sketch of the proof. So and I will start with what I call the jackpot scenario, right? Which is the easiest to describe and actually the best for the protocol. And this is the one where by luck, the volunteers and the intermediaries are arranged in a perfect matching. There's no collusion. So no two volunteers speak to the same intermediary. So this I call the jackpot scenario. If this scenario occurs, let's look at what's the probability that one of those edges gets corrupted, meaning both those guys get corrupted, meaning the OT entirely gets corrupted. So this probability, because those edges appear completely randomly, right? This is a perfect matching. This probability is the probability that the adversary randomly hits that guy, corrupts him or randomly corrupts that guy, minus the probability that he corrupts both randomly because we counted this twice. And if we have a fraction tau of corruptions, this probability will be t plus t minus t square to t minus t square. So if we want half of those edges to be uncorrupted, which will yield to half of the OT's being uncorrupted, then what we need to do is solve this equation here. And this will give us t less than one minus square root of 0.5. So this is the turning point. So if we have tau less than that, then any of those edges is corrupted with less than probability, one half independently. And therefore, with overwhelming probability, the majority of those edges will be honest. And then we can use an OT combiner on them. So as I said, this is a dream scenario. The actual scenario is not like that. It's more like that. So there might be collisions, right? So we do random things. So it might be that the same volunteer is chosen by two intermediaries. This is not a problem because there's so few players, that's so few servers that speak, sublinear number, so that these collisions are very, very, very few. So what we can do is we can simply give them all for free to the adversary. Everyone who's in sets over connected component can be given for free to the adversary and still we will have a majority of the edges that appear here being honest. Okay, so now going to the negative result. Why we cannot do anything better than one minus square root of 0.5. And in the next one minute, I'm gonna describe you the most technical proof of the paper, which means that I'm gonna give you a very, very, very high level intuition, which is floating many ways, but hopefully in one minute you won't notice. Okay, but the intuition, this is the intuition. So having that, you can do, you can at least understand why it's actually lower bound. Okay, so assume that the adversary corrupts more than that many guys. And now let's look again at these two cases. So the dream scenario, where we have a perfect matching, in that scenario, if the adversary corrupts, this is the turning point, which means that if the adversary corrupts more than that many parties, then each edge is corrupted with probability at least one half. And therefore, he has a decent chance and also a probability of corrupting a majority of the edges, which means that we cannot do anything. Now if, this is a dream scenario, right? In the non-dream scenario, we have overconnected components, which actually give the adversary more chances to corrupt, right? Because by corrupting an edge, he can just jump and corrupt the rest of the component. So in the other case, he can corrupt even more. So which means that if this is a lower bound for the dream scenario, it's definitely a lower bound for the other case. Once again, this is a very, very, very vague sketch. The actual form of impossibility goes through a novel adversary that we introduced, which we call probabilistic adversary structures. Those are described by a probability distribution over player set, over subset of the player sets. And the distribution, this probability depends on both the coins of the adversary and the coins of the protocol, so that we can capture adaptive corrections. Okay. So this kind of completes my talk. This is the bounds that we have. And there's a bunch of open problems. Like, you know, we, as I said, everything I say extends to constant number of clients. How about super constant? What happens with the other cases of active corruption, like adaptive or corruption without a board? What happens with fairness? This is actually, those are part of ongoing work. And another very interesting question is, what are complete bounds for probabilistic adversary? So this is a new type of adversary. We don't know exactly what is a complete characterization. And I think that's a very interesting problem. Okay. And with that, I'd like to thank you.